<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
<br>
On 22/05/2011 15:09, <a class="moz-txt-link-abbreviated" href="mailto:patrick.gaikowski@kaufland.com">patrick.gaikowski@kaufland.com</a> wrote:
<blockquote
cite="mid:OF6A079370.68DA6553-ONC1257898.004C3593-C1257898.004DCE06@de.int.kaufland"
type="cite">
<p><font face="sans-serif" size="2">Hi,</font><br>
<br>
<font face="sans-serif" size="2">we engaged a company for
penetration testing of web applications and that's why I tried
to be prepared....</font><br>
<br>
<font face="sans-serif" size="2">I used the tool "burp suite"
which is an http/https proxy for intercepting web requests /
responses. </font><br>
</p>
<ul style="padding-left: 18pt;" type="disc">
<li><font face="sans-serif" size="2">I made a dropoff request
without username / password --> only ReCaptcha</font></li>
</ul>
</blockquote>
Definitely a bug, now fixed. Well done!<br>
<blockquote
cite="mid:OF6A079370.68DA6553-ONC1257898.004C3593-C1257898.004DCE06@de.int.kaufland"
type="cite">
<ul style="padding-left: 18pt;" type="disc">
<li><font face="sans-serif" size="2">I intercepted the POST to
dropoff.php</font></li>
</ul>
<br>
<i>(See attached file: dropoff)</i><br>
</blockquote>
Great, XML, my favourite. :-)<br>
<blockquote
cite="mid:OF6A079370.68DA6553-ONC1257898.004C3593-C1257898.004DCE06@de.int.kaufland"
type="cite">
<ul style="padding-left: 18pt;" type="disc">
<li><font face="sans-serif" size="2">in the tool you can send
the POST to the repeating module and modify the POST</font>
</li>
<li><font face="sans-serif" size="2">I was able to send the
upload various times --> the limit will be the free
space on the host system --></font><font color="#ff0000"
face="sans-serif" size="2"> can be used to blow up the
system and perhaps crash the system</font></li>
</ul>
</blockquote>
If you don't complete the upload, then you will be able to do that.
Once the upload has finished, the auth code should be removed (and
now is! :-) (unless you're a logged in user, at which point we can
hunt you down anyway).<br>
I'm not particularly worried about attacks by logged in users. They
can just repeat the entire upload process as many times as they like
anyway, uploading either the same files or different files each
time.<br>
<blockquote
cite="mid:OF6A079370.68DA6553-ONC1257898.004C3593-C1257898.004DCE06@de.int.kaufland"
type="cite">
<ul style="padding-left: 18pt;" type="disc">
<li><font face="sans-serif" size="2">I was able to change for
example the email-address of the recipient (only the domain
defined in preferences.php) in the POST--> </font><font
color="#ff0000" face="sans-serif" size="2">can be used for
SPAM if the email domain is not configured correctly</font></li>
</ul>
</blockquote>
Agreed. You can indeed change the email address of the recipient in
the upload. But then again you can just make your automated hacking
system slightly more clever and do multiple uploads to anyone you
like in the preferences.php configured domain. So I am not
worried about that either.<br>
<blockquote
cite="mid:OF6A079370.68DA6553-ONC1257898.004C3593-C1257898.004DCE06@de.int.kaufland"
type="cite">
<br>
<font face="sans-serif" size="2">Is it possible to limit the
lifetime of the </font><font color="#ff0000" face="sans-serif"
size="2">auth-Parameter</font><font face="sans-serif" size="2">
to only one request? </font><br>
</blockquote>
Well spotted, yes that is a bug. Fixed. That should take care of the
multiple upload exploits you found above too.<br>
<br>
Many thanks for finding these for me, it is much appreciated!<br>
<br>
Cheers,<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CITP CEng
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'All programs have a desire to be useful' - Tron, 1982
</pre>
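<p>A single-use auth parameter of the kind the reply describes, as an added example that is not ZendTo's own code; the function names, the in-memory store and the binding of the code to the client address are assumptions:</p>

```php
<?php
// Added example, not ZendTo's code. Illustrates an "auth" parameter that is
// valid for exactly one dropoff.php request: it expires on its own, is bound
// to the client that solved the CAPTCHA, and is marked consumed before the
// upload is processed, so a replayed POST is refused even while the first
// upload is still in flight. The array store stands in for a real database.

// Issue a fresh code once the CAPTCHA has been solved (assumed store layout).
function issue_auth_code(array &$store, string $client_ip, int $now, int $ttl = 900): string {
    $code = bin2hex(random_bytes(16));          // 128 random bits, not guessable
    $store[$code] = ['ip' => $client_ip, 'expires' => $now + $ttl, 'consumed' => false];
    return $code;
}

// Validate and consume the code. Returns true at most once per issued code.
function consume_auth_code(array &$store, ?string $code, string $client_ip, int $now): bool {
    if ($code === null || !isset($store[$code])) {
        return false;                            // unknown or missing code
    }
    $entry = $store[$code];
    if ($entry['consumed'] || $now > $entry['expires']) {
        unset($store[$code]);                    // replay or stale code: discard it
        return false;
    }
    if ($entry['ip'] !== $client_ip) {
        return false;                            // issued to a different client
    }
    $store[$code]['consumed'] = true;            // burn it before doing any work
    return true;
}

// Drop-off handler sketch: consume first, accept the file second, then drop
// the entry entirely once the upload has completed.
function handle_dropoff(array &$store, ?string $code, string $client_ip, int $now, callable $accept_upload): bool {
    if (!consume_auth_code($store, $code, $client_ip, $now)) {
        return false;
    }
    $accept_upload();
    unset($store[$code]);
    return true;
}

// Constructed demonstration: first request succeeds, the replayed one is refused.
$store = [];
$code  = issue_auth_code($store, '203.0.113.7', time());
$first  = handle_dropoff($store, $code, '203.0.113.7', time(), function () {});
$replay = handle_dropoff($store, $code, '203.0.113.7', time(), function () {});
echo "first=" . var_export($first, true) . " replay=" . var_export($replay, true) . "\n";
```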
</body>
</html>